Task 6.3 ZBFW alternative

I tested this with ICMP and it worked fine as well.

access-list 125 permit tcp any host eq smtp
access-list 125 permit tcp host eq smtp any
class-map type inspect match-all SMTP-INSPECT
match protocol smtp
match access-group 125
policy-map type inspect BB2BB3
class type inspect SMTP-INSPECT
class class-default
zone-pair security BB2BB3 source BB2 destination BB3
service-policy inspect BB2BB3
zone-pair security BB3BB2 source BB3 destination BB2
service-policy inspect BB2BB3
interface FastEthernet0/1.52
zone-member security BB2
interface FastEthernet0/1.53
zone-member security BB3


  • Yes, this ZBFW will work fine. I did include a third zone, i.e. all the other interfaces on R5 as Internal, and allowed everything from this to the others and vice versa. Did you check traffic from the internal network to the BBs?

    My real issue was with the wording of 6.2 with 6.3 as one access-list is required to match on the server and that seems to break 6.2's request to have no access-lists?

    Oh, and to use ZBFW is seriously longer and more complex than a single service-policy.
